California Privacy Agency Assumes Control to Enforce Consumer Privacy Rights
In early July, the California Privacy Protection Agency officially took over the responsibility of enforcing consumer privacy rights from the state Attorney General’s office. While a recent court ruling has temporarily delayed the agency’s enforcement of certain regulations under the California Consumer Privacy Act (CCPA), the agency is swiftly organizing itself to have an immediate impact on personal privacy in the state.
The court ruling does not affect the agency’s enforcement of the CCPA itself or the regulations already adopted by the California Attorney General. Deputy Director of Enforcement Michael Macko emphasized at a public meeting that the court decision does not grant businesses immunity from enforcement and reiterated the agency’s commitment to enforcing the statute approved by California voters in 2020.
The agency outlined three key priorities for its enforcement efforts:
1. Consumer Complaint Portal: The agency launched an online portal for consumers to file complaints directly if they believe a company is not complying with the law. Interestingly, the complaint form does not require complainants to provide their names.
2. Administrative Enforcement Process: The agency described its planned process for administratively enforcing the CCPA, which includes filing a notice of probable cause proceeding, holding a probable cause hearing, filing an accusation, and having an administrative law judge decide on the matter. The agency will then review and decide whether to adopt, amend, or reject the proposed decision.
3. Focus on Growth: The agency intends to bolster its enforcement capabilities by hiring three enforcement attorneys and an assistant chief counsel of enforcement. This expansion aims to handle the expected increase in consumer complaints.
With a well-established administrative process, a motivated deputy director of enforcement, and additional staff, the agency is well-positioned to hit the ground running.
As promised, the agency wasted no time in announcing its first significant action since assuming control. It initiated a review of data privacy practices by connected vehicle manufacturers and related technologies. The review will specifically focus on the consumer information collected by these companies for features such as location sharing, web-based entertainment, smartphone integration, and cameras.
Executive Director Ashkan Soltani highlighted the agency’s intention to inquire into the connected vehicle space to ensure compliance with California law regarding the collection and use of consumer data. Given the considerable number of companies potentially impacted by this review, the agency’s action is ambitious in its scope.
The effectiveness and speed with which the agency ramps up its enforcement, as well as the level of aggressiveness in its approach, remain to be seen. Nonetheless, businesses subject to California’s extensive consumer privacy laws should closely monitor these developments.
Disclaimer: This article is not necessarily reflective of the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Luke Sosnicki, a litigator and partner at Thompson Coburn’s Los Angeles office, advises on litigation and regulatory risks related to federal and state data privacy laws, including the California Consumer Privacy Act.